Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Basics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: possible rooted systems

from [kyle] Network Security [Permanent Link]
Subject: Re: possible rooted systems
Date: Thu, 28 Oct 2004 13:58:25 -0500 
Yes, but that doesn't show what the traffic consists of, and due to some of 
the software we run that have very dynamic port usage, it'll just let us know 
some computers are using said ports. Web site traffic on the other hand we 
can fully know without an issue, but for a root kit/trojan/malware/adware to 
show on the firewall, it would have to trigger border manager as a invalid or 
disallowed site, and if it tripped that then it wouldn't be bogging down our 
internet because it would be blocked already before it hit the T1. 
Its been determined we need a packet sniffer for the job that works on novell 
(we've tried alot already, and the only other option to get a packet sniffer 
in the line is to redo the gateways though a nix box we have set aside as a 
sniffer) though I'm ofcourse going to make a strong recommendation that we 
setup a permanate sniffer in the line for next year. 

Kyle
On Thursday 28 October 2004 12:34 pm, you wrote:

Kyle,

If you believe you have been compromised I say start investigating the
issue. Check the firewall logs for outbound and inbound connections on non
standard ports. Once you do that check standard ports. See if you see any
irc ports in use. For the *ware issue (* being and form of the ware family)
I suggest to start off small using a free product liek ad-aware and start
from there. Unfortuantly in a school enviroment you will have that issue
and most likely you can not switch browsers to a less vulnerable one.

Either way check the logs on the firewall for abnormal usage (you should
know your network the bess, to tell whats normal and abnormal).

Quoting kyle <kyle@inetconnection.com>:

I am a lan administrator at a small school system with a T1 line for the
internet. Lately I've noticed that the T1 line has been maxed, and a week
later, it still is maxed out. I strongly believe that a few systems have
been rooted (no viruses/trojans show up on scans) and need a novell based
packet sniffer to determine what is legitimate and illegitimate traffic.
Does anyone know of any good ones? We run many xp and 98 boxes with
multiple novell servers. I think some of the 98 boxes are the ones that
were rooted On using them I've noticed one common thing on every one of
them at that building. spyware beyond usage (current record 35000 entries
before adaware locked up). I know how I can just fix it, but I need some
sort of log so I can justify my means. ;)
Thanks
Kyle
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: possible rooted systems, David Gillett
Next by Date:  Re: Allowing scanning from home, Adam Jones
Previous by Thread:  Re: possible rooted systems, mike
Next by Thread:  RE: possible rooted systems, AndrewC
Indexes:  [Date] [Thread] [Top] [All Lists]